With apologies to John Donne, ask not for whom the bells tolls, HIPAA business
associates, it tolls for thee! While it has been the law for
some time that business associates could be held directly liable
for breaches, enforcement actions against them have been few and
far between. But a sizable settlement announced today by the
Office for Civil Rights at the U.S. Department of Health and Human
Services (HHS OCR) reminds us that business associates are going to
be held to the same standards (and subjected to the same penalties)
as HIPAA covered entities.
This $2.3 million settlement involved CHSPSC LLC,